Re: ISSUE-103: Should unknown CAs and self-signed certificates be treated the same way? [Techniques]

On 2007-08-12 14:53:34 +0000, Web Security Context Working Group Issue Tracker wrote:

> ISSUE-103: Should unknown CAs and self-signed certificates be
> treated the same way? [Techniques]
> 
> http://www.w3.org/2006/WSC/track/issues/
> 
> Raised by: Thomas Roessler
> On product: Techniques
> 
> Assuming that self-signed certificates are treated as pure
> containers, what should the treatment be for unknown CAs?
> 
> Choices include:
> 
> - Perform path validation and cause errors as one would for a known and
>   trusted CA, but don't display an identity indicator?  (This would effectively
>   make the "weak" and "strong" TLS notions orthogonal to whether we trust a CA.)
> 
> - Ignore path validation and treat as pure containers for cryptographic material?

- Treat them like self-signed certificates, also with regard to the
  probation period?

Also, I suspect that the "weak policy OIDs" bucket [see ACTION-287]
might hold some relevance for resolving this issue.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 29 August 2007 21:18:57 UTC